The second value shouldn't be there, right? @JohnLaTwC

These are some of the techniques used in Emotet PowerShell to obfuscate the code to make the analysis difficult.

1. Using ` or ^ (escape character) in front of a character with no change in the result when starting PowerShell from cmd.exe:

• $YYU."DoWnlOadFIle"($asfc."ToStriNg"(), $SDC);

2. Using iex alias to invoke the PowerShell command:

• $env:comSpeC[4,26,25]-JoIn'') --> iex

• “PowerShell ${ENV:comspeC}[4,26,25]-join’ ‘ item (env:Opg).value)”

3. Strings are concatenate using ‘+’ to reduce readability:

• '6 http'+':'+'//'+'a'+'lian'+'.'+'d'+'e'+'/'+'4wBY'+'ki/@'

4. Strings encoded with ascii e.g [chaR]34:

• Replacing garbage character -repLACE '0mI',[chaR]96

5. File downloader or string downloader in macro

Detection point: ` , ^ or + for concatination
Detection point: env:comspec[4,26,25]
Detection point: -rep /rep
Detection point: DowloadFile, DownloadScript calls or http/s string in args

Compiled executables based on the current version in main branch

To inform you on the changes made with the merge of the yara-matching branch and John's GUI into master.

• The Raccine GUI is now a subfolder of the main project
• The installer uses %ProgramFiles% for the executables and %ProgramData% for logs and yara rules (and temp files of the YARA scanning process)
• The installer extends the PATH variable
• The installer adds RaccineSettings.exe to the Run key
• The installer starts RaccineSettings.exe
• The installer has a new option 4 to deactivate the GUI (kills process, removes startup entry, sets Registry key ShowGui to 0 so that Raccine.exe don't trigger an alert window anymore)
• yara64.exe is a new executable in the %ProgramFiles%\Raccine folder (in PATH)

FYI @JohnLaTwC @Eran-YT @Omodaka9375

Commit
cf3790c

I thought of adding a unit test project (GTEST, I have no experience with any other frameworks) , however, this will require splitting the Raccine project in VS into a Raccine & RaccineLib projects, where RaccineLib will contain the actual code, and Raccine will just be the executable.
What do you think?

Ransomware seeking to avoid this protection can simply call the VSS API directly rather than invoking vssadmin, e.g. IVssBackupComponents::DeleteSnapshots.

Hi,

We recently faced an issue regarding the return code of Raccine.
We have a supervision tool that rely on few powershell script return code to raise alerts. The problem is Raccine intercept this return code and always return 0 instead. Due to that, we lost supervision capabilities.

Will it be possible to change this behavior by replacing the current return code
return 0;
with the return code of the managed thread:

    DWORD threadExitcode = 0;
    // if we're in simulation mode or we didn't need to block the process, let it run
    if (configuration.log_only() || !bBlock) {
        if (hThread != INVALID_HANDLE_VALUE && hProcess != INVALID_HANDLE_VALUE) {

            ResumeThread(hThread);
            WaitForSingleObject(hProcess, INFINITE);
            GetExitCodeThread(hProcess, &threadExitcode);
        }
    }
    else {
        if (bBlock) {
            utils::killProcess(dwChildPid, 1);
        }
    }

    // Log events
    logSend(sListLogs);

    return threadExitcode;

This is a sample code of what can be done. I still didn't test it myself if it is working as excepted.

Regards

@Eran-YT : since your latest refactoring, not all suspended processes don't get resumed anymore

a385f30

It doesn't happen all the time, but in 50% of the cases that I've tested.

@Eran-YT : after merging changes from John, da I got offline, I noticed build problems on the yara-ext-vars branch, which we'd like to merge soon. Could you please check that branch and help us with the merge into your new code in main?

The first implementation of Yara support allowed multiple rule files to match against a command line. And the runyara.bat appended to the output:

@yara64.exe %1 %2 >> %2.out
Thus when the matches were logged, it logged all YARA files and all matching rules.

This PR [1] exits after the first match, so no other rule matches are returned. I could see this being an issue if one had a yara file for suspicious_powershell_commands.yar and another for ryuk_ransomware.yar. With this change, you would only see the first yara rule match and potentially not realize it's a more serious infection. I think we should change to match against all rules.

See:

    for (const std::filesystem::path& yara_rule : m_yara_rules) {
        if (run_yara_rule_on_file(yara_rule, target_file, command_line, out_yara_output)) {
            return true;  <<<<<<< exits after first match
        }
    }

[1] 4462922#diff-9cace7ee141689932f0a4ad89e8581bdbb8d13d9522a9c7b20b5cc40657c637b

We currently have only one example test that runs in the CI pipeline, we should write tests for all functions/classes

• Write tests for all functions/classes

• Add code coverage to CI pipeline

Today our installer ships yara64.exe to support our Yara rules. I think eventually we want to move to incorporating yara as a library so it's linked into raccine.exe. Some pros/cons to think through:

Pros for status quo:

1. Today getting a new drop of yara is as simple as taking the release binaries from the yara project and including them.

2. No need to build yara library ourselves or deal with keeping yara source in sync with its master

Cons (arguments for moving to a linked yaralib):

1. Every interception calls CreateProcess for each .yar rule--imagine when a user copies their favorite rule repo of 100 .yar rules in our rules directory. This is an expensive API. It's also a common interception point by local anti-virus and security programs. The more work you do in the CP code path, the more potential for conflicts and side effects down the road in deployment. Having a yara.lib would avoid the need for additional CreateProcess calls because all the yara checks would happen in raccine.exe. As raccine interception points grow, some of them may be invoked quite frequently--we already hook powershell. So we need to be thoughtful about this.

2. We can have better control over our use of Yara. Examples:

   1. We may want tighter runtime limits. When we add support for scanning memory #58, we may want bounds / timeouts on this (i.e. no more than 5 seconds). We would have more control when incorporating yara into our sources.
   2. We have limits today imposed by yara. We pass additional context for rules (e.g. process command line) and we do this through external definitions (passed to yara64.exe via -d params). Today yara limits us on the number we can pass (#define MAX_ARGS_EXT_VAR 32). We can either alter this limit or (better) write a yara module that exposes the additional properties (so we can do import context just like the pe module and add additional context in a more natural way).
      https://github.com/VirusTotal/yara/blob/7517bbdf8778c37fa494966b39623dc6c2ccfce9/cli/yara.c#L122

References:
Sources: https://github.com/VirusTotal/yara
Yara C API: https://yara.readthedocs.io/en/stable/capi.html
Visual Studio files: https://github.com/VirusTotal/yara/tree/master/windows

Another possible attack vector is to rapidly create a large number of snapshots which hit the default limit of 64 which then triggers windows to remove oldest ones until all the legitimate snapshots are gone.

Possible solution could be to:
a) require signing or password when creating new snapshot
b) minimum time interval when creating snapshots
c) simple cron-like snapshot scheduler built into Raccine, requiring a password to make changes

When running a program from a command prompt on a system with Raccine installed, yara64.exe will be attempted to be executed from the current directory. This can allow for unexpected code execution on a system with Raccine installed.

Steps to reproduce:

1. Make a directory called c:\tmp and go there in a command prompt.
2. Copy c:\windows\system32\calc.exe to c:\tmp\yara64.exe
3. In the CMD prompt in the c:\tmp directory, type: powershell

Actual results:
calc.exe spawns

Expected results:
yara64.exe should only be executed from the known directory where it is installed. Not from the current directory, nor from other directories that happen to be in the PATH.

If you try to override the yara rules directory, it will not do anything, as the value is read from the registry and then isn't used at all.
The configuration class should contain this value and pass it to the YaraRuleRunner instance inside EvaluateYaraRules

Until now, we use yara64.exe in run_yara.bat

We should add an option to run yara.exe as well, so that YARA matching also works on 32bit systems.

We could do this by:

• adding a switch in the .bat file
• adding a switch in Raccine.exe and add a runyara32.bat, which uses a 32bit executable
• handle this during installation (similar to the installation of Raccine.exe and Raccine_x86.exe)

I'd like to handle it during installation.

Note that if you run the hardening script along with Raccine (full option tested), then line 160 (https://github.com/Neo23x0/Raccine/blob/main/scripts/windows-hardening.bat#L160) will not allow the user to manually update rules (error output below). Changing the value to "Warn" resolves this (at the expense of some protection).

Hi,

I have installed on Server 2019 (Hyper-V Host):

• during normal operations including Veeam Backups it appeared that Raccine never spotted any issues to act upon
• I ran a simple test: vssadmin delete shadows /all - this caused a BSOD
• After checking the Event logs: nothing except an unexpected shutdown
• Check the dump file: complains about a Kernel Panic, no more
• It appears that the shadows copies were deleted

Today I ran another test after shutting down my VMs): vssadmin delete /all - the command completed successfully and the shadows were deleted.

Raccine is fully enabled (not simulation mode).

It appears that it is completely ineffective or not active, and doesn't even post anything to the Event Logs (other than the initial installation).

Am I missing something obvious?

I would expect the system to work on any modern Windows version, and also work regardless of the roles installed on the Server.

Please advise how I can proceed from here ...

Thanks in advance.

Currently the GUI branch doesn't compile, because a variable named cbData is used but not defined in the InitializeSettings function

Some suggestions for the windows hardening script:

Block remote commands

Disable DCOM
See (https://docs.microsoft.com/en-us/windows/win32/com/enabledcom)

REG.EXE ADD HKEY_LOCAL_MACHINE\Software\Microsoft\OLE /v EnableDCOM /t REG_SZ /d N /F

Block remote use of PSEXEC and similar tools that remotely install a temporary service.

See (https://twitter.com/JohnLaTwC/status/802218490404798464)

Reconfigure the security descriptor on the Service Control Manager endpoint to deny this right to remote users (S-1-5-2). This is not a service itself, but rather the SCM endpoint that PSEXEC and other tools must communicate with to call ChangeServiceConfig and related APIs. Adding a Deny ACE for NETWORK prevents remote use of this API while not interfering with local usage (by installers and local management tools).

See (https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-changeserviceconfiga)

In a batch file, add a Deny ACE to the existing SCM ACL:

FOR /F "usebackq tokens=2 delims=:" %%a IN (`sc.exe sdshow scmanager`) DO  sc.exe sdset scmanager D:(D;;0x00040002;;;NU)%%a

This results in an ACL like the following. Note ACE number zero:

viewsddl svc D:(D;;DCWD;;;NU)(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CC;;;S-1-15-3-1024-528118966-3876874398-709513571-1907873084-3598227634-3698730060-278077788-3990600205)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)

+ ACE[ 0]  : Deny : NT AUTHORITY\NETWORK 0x00040002   <<<<<< deny network SID
+   Perms : ( ChangeConf WDac )			    <<<<<< deny ChangeConfig and WriteDACL permission 
+   Inher : ( )

ACE[ 1]  : Allow : NT AUTHORITY\Authenticated Users 0x00000001
   Perms : ( QueryConf )
   Inher : ( )

ACE[ 2]  : Allow : NT AUTHORITY\INTERACTIVE 0x00020015
   Perms : ( QueryConf QueryStat Start RCtl )
   Inher : ( )

ACE[ 3]  : Allow : NT AUTHORITY\SERVICE 0x00020015
   Perms : ( QueryConf QueryStat Start RCtl )
   Inher : ( )

ACE[ 4]  : Allow : NT AUTHORITY\SYSTEM 0x00020035
   Perms : ( QueryConf QueryStat Start Stop RCtl )
   Inher : ( )

ACE[ 5]  : Allow : BUILTIN\Administrators 0x000F003F
   Perms : ( QueryConf ChangeConf QueryStat EnumDeps Start Stop Del RCtl WDac WOwn )
   Inher : ( )

ACE[ 6]  : Allow : Package\S-1-15-2-1 0x00000001
   Perms : ( QueryConf )
   Inher : ( )

ACE[ 7]  : Allow : (null)\S-1-15-3-1024-528118966-3876874398-709513571-1907873084-3598227634-3698730060-278077788-3990600205 0x00000001
   Perms : ( QueryConf )
   Inher : ( )

SACL[ 0]  : Sacl : \Everyone 0x000F003F
   Perms : ( QueryConf ChangeConf QueryStat EnumDeps Start Stop Del RCtl WDac WOwn )
   Inher : ( Fail )

SACL[ 1]  : Sacl : \Everyone 0x10000000
   Perms : ( GenericAll )
   Inher : ( ObjectInherit InheritOnly Fail )

And add mshta.exe to the list:

Netsh.exe advfirewall firewall add rule name="Block mshta.exe netconns" program="%systemroot%\system32\mshta.exe" protocol=tcp dir=out enable=yes action=block profile=any

Some more fodder for future ideas by consulting this LOLBAS/BIN list:

(https://twitter.com/bohops/status/1322906881862602754)

With the current implementation, any malware named wininit.exe or winlogon.exe (at the time of opening this issue, these were the only 2 entries in the allow list) will result in BOOL isallowlisted to return True.

It will be more prudent to match the entire file path of these EXEs instead.

Documentation suggests a way to get the full file path - https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/ns-tlhelp32-processentry32

@Eran-YT

There's a problem in blocking mode. Raccine is unable to end itself.

Caused at this position by an invalid handle.

In an article from Unit42 it is described that at least Prometheus / Thanos Ransomware actively tries killing Raccine processes in order to operate. https://unit42.paloaltonetworks.com/prometheus-ransomware/

It seems that Raccine will be needing advanced evasion techniques starting now in order to still be effective.

Note: Working on the new branch yara-ext-vars with changes by @JohnLaTwC

I am trying to figure out, why the rule matching process gets the wrong YARA rule directory.
It uses C:\ProgramData\Raccine instead of C:\ProgramData\Raccine\yara

Can someone explain to me, why the class definition expects two variables: yara_rules_dir, raccine_program_directory
https://github.com/Neo23x0/Raccine/blob/yara-ext-vars/source/RaccineLib/YaraRuleRunner.cpp#L7

and the object instantiated from that class uses different values? https://github.com/Neo23x0/Raccine/blob/yara-ext-vars/source/RaccineLib/raccine.cpp#L49
Is that the wrong location?

I think this is preventing it from running at all, because vssadmin delete /all in powershell did not kill the parent process.

When deployed, RaccineSettings produces a dangling Form1 window even without interaction

Earlier I was on Termius running a few SFTP sessions, when I tried launching a remote file in Notepad++. Upon attempting this, Termius shut off in a way that made me think it had crashed. Tried a few more times, with no success.

I'm just about to get some shut eye for work tomorrow, when I see a Raccine popup linking to the Termius window I had open 5 hours prior. Turns out, Termius launches Notepad++, along with any other specified program, in the stupidest way I think I've ever seen. I don't blame Raccine for the false positive, I blame Termius for the ludicrous method they have chosen to launch programs.

Detection:

21/08/2022 18:33:09
Raccine detected malicious activity:
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive –ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAUwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAE4AbwB0AGUAcABhAGQAKwArAFwAbgBvAHQAZQBwAGEAZAArACsALgBlAHgAZQBgACIAIgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAGAAIgBDADoAXABVAHMAZQByAHMAXAB0AGgAZQBiAGkAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAHQAbQBwAC0AMgAzADgAMQA2AC0AcABRADIAUABTAFQAMwA5AGgAQQBiAHMAXABpAG4AZABlAHgALgBoAHQAbQBsAGAAIgAiAA== 

You can find the full detection log here.

After decoding the Base64 string, it was quickly found that it wasn't malicious at all.

In other news, is this something that can be added as an exception in the repo? Or, would I need to exempt Termius from Raccine rules manually?

yara64 errors out every second after installation with VCRUNTIME140.dll missing.
Windows 10 (latest), Raccine 1.2.1

Since the yara64.exe that we use also supports scanning of files and process memory, I'd like to add scans of the image files and process memory of every parent that we can find in the process tree* (* I know that process trees can be broken and unreliable - still, I'd like to add it)

The invocation for the image files in the process tree would be:

yara.exe -r [ruleset] [ImageFilePath]

The invocation to scan a certain process memory is:

yara.exe -r [ruleset] [PID]

https://yara.readthedocs.io/en/latest/commandline.html

We could use the rules from our signature-base repository. They are mostly battle tested and should produce false positives on process memory.

Notes:

• when using more than a handful of rules it would be necessary to concatenate all rules before applying them to avoid a loop over hundreds of rules AND to make use of the advantages of the Aho–Corasick algorithm used internally by YARA

I think you want dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID && dwIntegrityLevel < SECURITY_MANDATORY_SYSTEM_RID

Currently as written, if the IL is System the code returns 3 (High) because of the >= check.

This would break your whitelist because you check for a value of 4

// Is the process running as SYSTEM
if (IntegrityLevel(hProcess) == 4) {

VSCode runs the following command when activating the PowerShell console in the tool:

ParentImage: C:\Program Files\Raccine\Raccine.exe
ParentCommandLine: "C:\Program Files\Raccine\Raccine.exe" C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command "Import-Module 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\modules\PowerShellEditorServices\PowerShellEditorServices.psd1'; Start-EditorServices -HostName 'Visual Studio Code Host' -HostProfileId 'Microsoft.VSCode' -HostVersion '2020.6.0' -AdditionalModules @('PowerShellEditorServices.VSCode') -BundledModulesPath 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\modules' -EnableConsoleRepl -StartupBanner \"=====> PowerShell Integrated Console v2020.6.0 <=====
\" -LogLevel 'Normal' -LogPath 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\logs\1603817771-53060d3f-4aaa-471a-b244-75ec384fd3381603817770136\EditorServices.log' -SessionDetailsPath 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\sessions\PSES-VSCode-9564-717768' -FeatureFlags @() "

Note that there's a line break after -StartupBanner \"=====> PowerShell Integrated Console v2020.6.0 <===== and before \" -LogLevel 'Normal', which is very strange.

I can also see this line break when I run it without Raccine intercepting (uninstalled Raccine) but in this case the invocation doesn't fail.

OriginalFileName: PowerShell.EXE
CommandLine: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command "Import-Module 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\modules\PowerShellEditorServices\PowerShellEditorServices.psd1'; Start-EditorServices -HostName 'Visual Studio Code Host' -HostProfileId 'Microsoft.VSCode' -HostVersion '2020.6.0' -AdditionalModules @('PowerShellEditorServices.VSCode') -BundledModulesPath 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\modules' -EnableConsoleRepl -StartupBanner \"=====> PowerShell Integrated Console v2020.6.0 <=====
\" -LogLevel 'Normal' -LogPath 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\logs\1603818394-dddb2ceb-023c-4862-b7c2-d3695d91c4691603818393174\EditorServices.log' -SessionDetailsPath 'c:\Users\venom\.vscode\extensions\ms-vscode.powershell-2020.6.0\sessions\PSES-VSCode-12880-355229' -FeatureFlags @() "

This seems to be something to report to the VSCode team as well. @JohnLaTwC

The "raccine-reg-patch-uninstall.reg" does not include a line to remove the debugging entry for "net.exe".

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exe]

@JohnLaTwC Some of the line breaks get lost when YARA rule match gets passed to the GUI

The code is currently C with some C++ parts, would you want to convert it to modern C++ code?

I can't figure out under which circumstances this "empty" message would be produced.
Could someone of you find the location where this happens?

@JohnLaTwC @Eran-YT @Omodaka9375 ?

wininit.exe and winlogon.exe run at SYSTEM IL (not Medium/Low that the current user is), so it will also be a good idea to check if the suspect process, if named any of the allowed processes, is running with the expected IL of these known allowed processes.

Think you're missing a check for allocation success before using the buffer.
if (!pTIL)
return 0

Hi team,

First of all, thank you for your great work. I have an issue related to GUI.

I´ve installed Raccine using option 1 (all possible methods), then I test with a sample of ransomware and it works perfectly.

If I choose option 4 (Disable GUI elements), then I execute the same ransomware sample, and Raccine can´t block it.

Thank you.

add option to email IT when raccine is activated.

Hi. I have tried to install Raccine in a folder different that C:\Program Files so I changed the install-raccine.bat creating a new variable called %RaccinePath% instead of %ProgramFiles% and setting this new variable to the value C: I also changed the reg-patches to point to the new folder. So when I launch the batch file with argument FULL it seems that it has been installed correctly. Raccine is installed in C:\Raccine, the registry items are pointing correctly at the new folder, etc... but when I run the wmic delete just a test I get the error "Can not open C:\ProgramData\Raccine\Raccine_log.txt for writing.". I have tried other ways to Raccine to detect an attack but Raccine warning is not open. So, the question is can be Raccine installed in a different folder than the default one?

When I talked to @mback2k yesterday, he recommended to keep the test cases in a separate workflow.

Version 1.4.2 installs correctly, but in version 1.4.3, the installer doesn't open. When I open Raccine.exe it does not open. When I open install-raccine.bat it gives the following error:

WARNING: you may have downloaded the source code only or an Antivirus has deleted an important part of the package
Make sure to download a package that contains the compiled binaries by downloading a package from the RELEASE section.
https://github.com/Neo23x0/Raccine/releases
The installer will exit now ..

Thanks

Hi,

There is something that look a little weird in the implementation.
When Raccine is call viaimage file execution options, I guess that is it looking for a temporary folder to process yara files. (RaccineUserContext if I'm correct).
If this folder doens't exist, it seems that yara file are not processed and the program is run whatever it's safe or not.

The problem is that this folder is created by RaccineSettings.exe which is launched via a registry value placed in HKCU ( the profile of the user who did the installation =>surely an IT admin). Any other user or remote execution that don't load a user profile will fall in the case explainned just above.

Are my guessings correct ? how can we solve that issue ?
Can't we just create the folder in the Raccine.exe itself if it doesn't exist instead of in the RaccineSettings.exe?

thanks for your answer.

Currently there are no coding conventions, and each piece of code uses another, which leads to chaos.
We should have a .clang-format file, probably just using one of the prebuilt styles (i.e. Microsoft, Google, ...).

I was testing Raccine in our environment, and I realized that the group policy settings don't work.

Raccine stores its settings in HKLM\SOFTWARE\Raccine, while the group policy places registry keys in HKLM\SOFTWARE\Policies\Raccine.

Hi,

By default, most of our servers are disallowed to connect to internet. In that case, Yara rules update can't take place as required.

Could it be possible to include a fall back solution like the folling one to make the updater to point to an internal server:

static public void Main(String[] args)
        {
            var contentsUrl = $"https://api.github.com/repos/Neo23x0/Raccine/contents/yara?ref=main";
            if(args.Length > 0)
            {
                contentsUrl = args[0];
            }
            SyncContentFromUrl(contentsUrl, "");
        }

This will allow us to specify an alternative URL directly on the command line

Probalbly an adaptation of the installation script will be required to ask for a value if required.

A better option will probably to rely on a config file with something like this :

if (File.Exists(appDir + @"\update.url"))
           {
               contentsUrl = File.ReadAllLines(appDir + @"\update.url")[0];
           }

This file could then simply included in the folder while deploying.

If C:\ProgramData\Raccine\Raccine_log.txt is created because of a program written to with elevated privileges, that log file will require elevated privileges to be written to. Similarly, if the log file is created by one user, the log file cannot be written to as another user.

Ideally, if Raccine_log.txt is to be created, it should be created in a way that allows it to be written to regardless of privilege level or specific user that triggered its creation.

hi,

We had a big trouble to identify what makes Raccine not working as intended on serval servers.
Once updated by RaccineRulesSync.exe, yara files are not parsed anymore.
Seems to be linked to the newline character used is those file ( LF vs CRLF ).

I suggest to add the following changes to the source code .
add a reference to System.Text.RegularExpressions in the project.

In the "SyncContentFromUrl" function add the following declaration :
String newLinePattern = "([^\r]\n)";

then replace :
file.WriteLine(yararule);
with
file.WriteLine(Regex.Replace(yararule, newLinePattern, "\r\n"));

This could prevent this kind of isssue again.
Bruno

The Raccine_log.txt file has more information than is provided to the Windows Event Log.
Can we add the additional Image details to the Application Event, to allow for better quality information to a SIEM

Sample of Windows Event:

"Raccine detected malicious activity: vssadmin delete shadows (simulation mode)"

Sample of equivalent raccine_log.txt:

2020-11-01 10:53:09 DETECTED_CMD: 'vssadmin.exe delete shadows COMMENT: Raccine detected malicious activity
2020-11-01 10:53:10 DETECTED_CMD: 'vssadmin.exe delete shadows ' IMAGE: 'explorer.exe' PID: 3312 ACTION: Whitelisted
2020-11-01 10:53:10 DETECTED_CMD: 'vssadmin.exe delete shadows ' IMAGE: '(unavailable)' PID: 3012 ACTION: Terminated
2020-11-01 10:53:10 DETECTED_CMD: 'vssadmin.exe delete shadows ' IMAGE: 'cmd.exe' PID: 7212 ACTION: Terminated

You may want to check out this article on parent pid spoofing.
https://pentestlab.blog/2020/02/24/parent-pid-spoofing/